FlawedAmmyy RAT being spread by a new malware spam attack


     A widespread spam campaign from the criminal hacking group TA505 is spreading the FlawedAmmyy RAT via spam emails carrying malicious SettingContent-ms files. The SettingContent-ms file format was introduced in Windows 10. It allows a user to create shortcuts to various Windows 10 settings pages. Ordinarily, all such a file does is open the Control Panel for the user. The interesting part of this file is the DeepLink element in the schema. This element takes any binary with parameters and executes it. If control.exe is replaced with another binary or script, opening the file executes that command automatically, including cmd.exe and PowerShell, with no prompt to the user. This makes the format a perfect conduit for malware.
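To show how a defender can check the DeepLink element described above, here is an added example (not code from the original article or from the researchers it cites) that parses a SettingContent-ms file and flags any DeepLink that launches something other than control.exe, passes a command line, or references a script host. Both sample files are constructed here; the element layout and namespace URI follow the public format, and the suspect command line is a placeholder.

```python
import xml.etree.ElementTree as ET

# Benign SettingContent-ms shortcuts launch control.exe (or SystemSettings.exe) with no arguments.
EXPECTED_TARGETS = {"control.exe", "systemsettings.exe"}
# Script hosts and other interpreters that have no business inside a settings shortcut.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

def extract_deeplinks(xml_text):
    """Return the text of every DeepLink element, ignoring whatever namespace the file declares."""
    root = ET.fromstring(xml_text)
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1].lower() == "deeplink"]

def assess_deeplink(deeplink):
    """Return a list of findings; an empty list means the DeepLink looks like a normal shortcut."""
    if not deeplink:
        return ["empty DeepLink"]
    tokens = deeplink.split()          # first token is the binary, the rest is its command line
    binary = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if binary in INTERPRETERS:
        findings.append(f"launches an interpreter: {binary}")
    elif binary not in EXPECTED_TARGETS:
        findings.append(f"launches unexpected binary: {binary}")
    if len(tokens) > 1:
        findings.append(f"passes {len(tokens) - 1} argument(s) to {binary}")
    for host in sorted(INTERPRETERS):
        if host != binary and host in deeplink.lower():
            findings.append(f"references {host} in its arguments")
    return findings

def triage(xml_text):
    """Map every DeepLink found in the file to its list of findings."""
    return {dl: assess_deeplink(dl) for dl in extract_deeplinks(xml_text)}

def _sample(deeplink):
    # Constructed sample in the public SettingContent-ms layout; not a captured file.
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

BENIGN = _sample(r"%windir%\system32\control.exe")
SUSPECT = _sample(r"%windir%\system32\cmd.exe /c powershell.exe -c PLACEHOLDER_COMMAND")
```

Running `triage(BENIGN)` yields an empty finding list, while `triage(SUSPECT)` reports the cmd.exe launcher, the extra arguments and the PowerShell reference, which is the signal an email gateway or endpoint scanner would alert on.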

     The malicious code flies under the radar, and the maliciously crafted files bypass certain Windows 10 defenses such as Attack Surface Reduction and the detection of OLE-embedded dangerous file formats. Getting victims to open an unusual file format attached to an email could be a challenge, so hackers have started embedding these files into more innocent-looking attachments. Researchers have seen attacks abusing the SettingContent-ms file format within Microsoft Word documents. Earlier this week, researchers found that the approach is evolving and is now being used with PDF documents, a previously unseen technique.




     On July 16 there was a large attack with thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file. The messages in the campaign used a lure asking the user to open the attached PDF. When opened, Adobe Reader displays a warning prompt asking the user whether they want to open the file, since the PDF's JavaScript is attempting to run the embedded downl.SettingContent-ms, as it would for any file format embedded within a PDF. If the intended victim clicks OK, the PowerShell command contained within the DeepLink element runs and deploys the FlawedAmmyy RAT. FlawedAmmyy RAT has been active since 2016 but was not on researchers' radar until earlier this year.

     The RAT is based on leaked source code for version 3 of the Ammyy Admin remote desktop software, and its features include remote desktop control, a file system manager, proxy support and audio chat. Hackers gain complete access to victims' PCs, giving them the ability to access services, steal files and credentials, and much more. Researchers have seen FlawedAmmyy both in massive attacks, potentially creating a large base of infected computers, and in targeted attacks that create opportunities for actors to steal customer data, proprietary information, and more.



     The email messages, as well as the payload and other identifying characteristics, are similar to previous attacks carried out by TA505. TA505 is responsible for large malspam campaigns that make use of the Necurs botnet to distribute a range of payloads, including the Dridex banking Trojan, Locky ransomware, Jaff ransomware, The Trick banking Trojan, and several others. It operates a variety of C&C servers, allowing it to be resilient in the case of takedowns, sinkholes, and other defensive operations. TA505 tends to operate at very large scale.

     Whether it is a well-established group such as TA505 or a newer one, hackers are quick to adopt new techniques when malware authors and researchers publish new proofs of concept. Researchers believe that TA505 is acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at an enormous scale.